
Forum Moderators: coopster & jatar k


security considerations regarding upload to server from another website



5:44 pm on May 20, 2009 (gmt 0)

5+ Year Member

This is not really PHP related even though the programming language is PHP.

I allow my members to upload images to my website from their PC. A member has requested a feature where he can upload his images from his website.

I find this feature to be very interesting as I see many of my members having their images already on other websites and by enabling this feature I can encourage them to use their images from my competitor sites on my site.

So looking away from the legal issues, what security concerns can there be in my server trying to do an HTTP GET on a URL the member provided?

Of course I will be validating the following:
1. transport is http
2. the extension is .jpg
3. The file downloaded is not larger than X Megabytes
4. The file is a valid jpg image file

Thanks in advance


9:05 pm on May 21, 2009 (gmt 0)

5+ Year Member

The security implications are the same: you are still putting a foreign file onto your file system!

The only difference is that instead of the file coming directly from your user (file upload), it is now coming directly from a 3rd party web server.

Employ the same basic security guidelines to handle the file. The 4 things you mention are all good steps. Try Googling "PHP file upload security" for more specific concerns about uploading user files onto your system.


10:15 pm on May 21, 2009 (gmt 0)

5+ Year Member

I was thinking more along the lines of using my server to access external resources (like a proxy). I see it all the time with failed attempts in my access log.
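
As an added example (not code posted by anyone in this thread), the four checks from the first post and the proxy concern above can be combined in one PHP download routine. The names fetch_member_jpeg, public_ip_for and MAX_BYTES, the 2 MB cap, IPv4-only resolution, and accepting https as well as http are assumptions.

```php
<?php
// Added example, not code from the thread; all function and constant names are hypothetical.
const MAX_BYTES = 2 * 1024 * 1024; // the "X Megabytes" limit; 2 MB is an assumed value

function public_ip_for(string $host): ?string {
    // Resolve once (IPv4 only) and refuse private/reserved ranges, so the
    // fetcher cannot be used as a proxy towards localhost or internal hosts.
    $ip = filter_var($host, FILTER_VALIDATE_IP) ? $host : gethostbyname($host);
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) ?: null;
}

function fetch_member_jpeg(string $url): string {
    $p = parse_url($url);
    if (!$p || !isset($p['scheme'], $p['host'], $p['path'])) throw new RuntimeException('bad URL');
    $scheme = strtolower($p['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') throw new RuntimeException('transport must be http(s)');
    if (!preg_match('/\.jpe?g$/i', $p['path'])) throw new RuntimeException('extension must be .jpg');
    $ip = public_ip_for($p['host']);
    if ($ip === null) throw new RuntimeException('host is not a public IPv4 address');
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);

    $body = '';
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false, // a redirect could lead to an unchecked host
        CURLOPT_RESOLVE        => ["{$p['host']}:$port:$ip"], // connect to the IP that was checked
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
        CURLOPT_WRITEFUNCTION  => function ($ch, $chunk) use (&$body) {
            $body .= $chunk;
            // Returning a short count aborts the transfer once the cap is passed.
            return strlen($body) > MAX_BYTES ? 0 : strlen($chunk);
        },
    ]);
    if (curl_exec($ch) === false || curl_getinfo($ch, CURLINFO_HTTP_CODE) !== 200) {
        throw new RuntimeException('download failed or file too large');
    }
    $info = @getimagesizefromstring($body);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) throw new RuntimeException('not a JPEG');
    return $body; // caller stores it under a server-generated name, never the remote one
}

// Constructed URLs that are all rejected before any network request is made.
foreach (['ftp://example.com/a.jpg', 'http://example.com/a.php', 'http://127.0.0.1/a.jpg'] as $u) {
    try { fetch_member_jpeg($u); } catch (RuntimeException $e) { echo "$u: {$e->getMessage()}\n"; }
}
```

A header check such as getimagesizefromstring() only confirms the file starts as a JPEG; re-encoding the image before storing it is a common further step.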


10:18 am on May 26, 2009 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member

what security concerns can there be in my server trying to do a HTTP GET on a URL the member provided ?

If I understand this correctly, the member sets a link for an image that points to an external site. Now as your users browse pages on your site, some images may point to an external site (whatever was specified by the image links of your members), correct?

If so then we have

your site:

external site:

Link to the image:

Here are a few things that can be done.
Once the image link is set to your site, the member changes the content of the image to some adult content only for some IPs or only at a specific time of the day.

Another case is he can set an authorization script inside his /image folder that rotates. Now some members of your site will see a popup dialog prompting them to enter their credentials. Just use your imagination; the possibilities are unlimited.

So make sure of at least 2 things.
1. Make sure they upload the image files to your server (no hot-linking)
2. Validate the images.


7:50 am on May 28, 2009 (gmt 0)

5+ Year Member

enigma1 > you misunderstood. The issue is not to link to an external URL but to download from the URL and store the image on my server.


7:56 am on May 28, 2009 (gmt 0)

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

darkage... are you vetting the images stored, or just taking them willy nilly? Freely admit I'm a bit of a control freak. I want to control what appears on my sites.

And when push comes to shove I want my users to send me the images direct rather than point to a third party (where's the audit trail in that!)?


9:09 am on May 28, 2009 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member

darkage, best to have the users upload the images, then you validate/authorize them before displaying. Or maybe you can have instructions to upload their images on another server which you trust (there are services online for this I believe) and then have your server automatically download them and store them.

But if you have your server automatically download them and store them, and they are then accessible without validation, it is no different than the hot-linking problems mentioned above.

